CERT-In Vulnerability Note CIVN-2008-123
Multiple Vulnerabilities in Microsoft Excel
Original Issue Date:
August 14, 2008
Severity Rating:
High
Systems Affected
- Microsoft Office 2000 Service Pack 3
- Microsoft Office XP Service Pack 3
- Microsoft Office 2003 Service Pack 2
- Microsoft Office 2003 Service Pack 3
- 2007 Microsoft Office System
- 2007 Microsoft Office System Service Pack 1
- Microsoft Office Excel Viewer 2003 (KB951589)
- Microsoft Office Excel Viewer 2003 Service Pack 3 (KB951589)
- Microsoft Office Excel Viewer (KB955472)
- Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats (KB951596)
- Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1 (KB951596)
- Microsoft Office SharePoint Server 2007 (KB953397)
- Microsoft Office SharePoint Server 2007 Service Pack 1 (KB953397)
- Microsoft Office SharePoint Server 2007 x64 Edition (KB953397)
- Microsoft Office SharePoint Server 2007 x64 Edition Service Pack 1 (KB953397)
- Microsoft Office 2004 for Mac (KB956343)
- Microsoft Office 2008 for Mac (KB956344)
Overview
Multiple vulnerabilities have been reported in Microsoft Excel that could allow a remote attacker to execute arbitrary code and to take complete control of an affected system.
Description
1. Excel Credential Caching Vulnerability (CVE-2008-3003)
An elevation of privilege vulnerability has been reported in Excel 2007. This vulnerability is caused when Excel 2007 does not delete the PWD (password) string from connections.xml when data connections are made to a remote data source. An attacker could exploit this vulnerability to gain access to a secured remote data source by opening an .xlsx file that had been explicitly configured not to store credentials to the remote data source.
Workarounds
- Edit the connections.xml inside the .xlsx file and manually remove the password
- Windows Shell method
- WinZip method
- Use Excel 2007 to encrypt the file with the data connections
- From within Excel 2007, save the file in the Excel 97-2003 file format
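The first workaround, removing the password from connections.xml, can be scripted as well as done by hand. The following is an added example, not code from CERT-In or Microsoft: it assumes the connection string is stored in an XML attribute of a part named connections.xml, treats `Password=` as well as `PWD=` as the credential key (an assumption beyond the advisory's wording), and runs against a constructed sample workbook.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# SpreadsheetML namespace, registered so rewritten XML keeps its default xmlns.
MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
ET.register_namespace("", MAIN_NS)
# One PWD=/Password= pair of a semicolon-delimited connection string.
PWD_PAIR = re.compile(r'(?i)(?:^|;)\s*(?:pwd|password)\s*=\s*(?:"[^"]*"|\{[^}]*\}|[^;]*)')
# Constructed sample part; the DSN, user and password are made up.
SAMPLE = (
    '<connections xmlns="%s"><connection id="1" name="sales">'
    '<dbPr connection="DSN=SalesDB;UID=report;PWD=Example-Only-1;DATABASE=sales"'
    ' command="SELECT 1"/></connection></connections>' % MAIN_NS)

def make_sample():
    """Build a minimal constructed .xlsx-style archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/connections.xml", SAMPLE)
        z.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()

def scrub_part(xml_bytes):
    """Return (clean_xml, findings) for one connections.xml part."""
    root = ET.fromstring(xml_bytes)
    findings = []
    for elem in root.iter():
        for attr, value in list(elem.attrib.items()):
            cleaned = PWD_PAIR.sub("", value).lstrip(";")
            if cleaned != value:
                findings.append((elem.tag.split("}")[-1], attr))
                elem.set(attr, cleaned)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True), findings

def scrub_workbook(xlsx_bytes):
    """Return (new_xlsx, findings); other parts are copied unchanged."""
    out, findings = io.BytesIO(), []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info)
            if info.filename.lower().endswith("connections.xml"):
                data, found = scrub_part(data)
                findings += [(info.filename, t, a) for t, a in found]
            dst.writestr(info, data)
    return out.getvalue(), findings
```

The findings list names the part, element and attribute where a password was found but never echoes the secret, so it can be logged when auditing a file share.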
2. Excel Indexing Validation Vulnerability (CVE-2008-3004)
A remote code execution vulnerability has been reported in Excel 2007 in the way Excel 2007 processes index values when loading Excel files into memory. This vulnerability is caused by improper handling of "AxesSet" records within a chart embedded in a spreadsheet. This record is typically used for setting the location and size of a set of axes on a chart. When processing a malformed Excel spreadsheet (XLS), Excel does not check the value in the record that is used as an index into the array of chart axes; an out-of-bounds value could cause memory corruption.
Workarounds
- Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or untrusted sources
- Use Microsoft Office File Block policy to block the opening of Office 2003 and earlier documents from unknown or untrusted sources and locations
- Do not open or save Microsoft Office files received from untrusted sources
3. Excel Index Array Vulnerability (CVE-2008-3005)
A remote code execution vulnerability has been reported in Excel 2007 in the way Excel processes an array index when loading Excel files into memory. This vulnerability is caused by improper handling of "FORMAT" records: a malformed Excel spreadsheet (XLS) with an out-of-bounds array index could cause Excel to write a byte to arbitrary locations in stack memory and allow an attacker to execute arbitrary code with the privileges of the current user.
Workaround
- Do not open or save Microsoft Office files received from untrusted sources
4. Excel Record Parsing Vulnerability (CVE-2008-3006)
A remote code execution vulnerability has been reported in Excel 2007 in the way Excel parses record values when loading Excel files into memory.
An attack against a user's local Excel client could allow an attacker to execute remote code on the victim's computer by convincing the user to open a specially crafted file.
An attack against a Microsoft Office SharePoint Server 2007 site could allow a remote attacker to gain an elevation of privilege within the SharePoint server.
Workarounds
- On Excel client systems, use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or untrusted sources
- On Excel client systems, use Microsoft Office File Block policy to block the opening of Office 2003 and earlier documents from unknown or untrusted sources and locations
- Do not open or save Microsoft Office files received from untrusted sources
A remote attacker could exploit these vulnerabilities to execute arbitrary code on the target system by enticing a user to open a specially crafted Excel file. Successful exploitation of these vulnerabilities could allow a remote attacker to take complete control of the vulnerable system.
Solution
Apply appropriate patches as mentioned in Microsoft Security Bulletin MS08-043
Vendor Information
Microsoft
http://www.microsoft.com/technet/security/bulletin/ms08-043.mspx
References
iDefense Labs
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=740
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=741
FrSIRT
http://www.frsirt.com/english/advisories/2008/2347
SecuriTeam
http://www.securiteam.com/windowsntfocus/5XP0F0UP5A.html
Secunia
http://secunia.com/advisories/31454/
CVE Name
CVE-2008-3003
CVE-2008-3004
CVE-2008-3005
CVE-2008-3006
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
